Analysing Dos And Ddos Defence Techniques Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.


The DOS (Denial of Service) attack is used to prevent the legitimate users from using the network resources or services. The sophistication in performing DOS attacks has led to the rapid growth of these attacks. This research paper discusses about the DOS attacks and the techniques used to prevent these attacks. Every prevention technique has unique advantages and disadvantages over other techniques; this paper proposes the suitable conditions for each prevention technique under different environments.


The main aim of this paper is to analyse the DOS and DDOS (Distributed Denial of Service) defence techniques, and to determine the ideal environment for deploying each defence technique.


The first objective is to explore the background and procedure of DOS and DDOS attack.

Performing a simple DOS attack, to show the easiness involved in DOS attacks.

To analyse the tools involved in DOS or DDOS attacks.

Examining the evolution of Tools, by analysing the attack procedure followed by a latest DDOS attack tool called LOIC.

To analyse the defence techniques employed for DOS or DDOS attacks.

To critically evaluate the defence techniques based on the attack environments.


The Internet, from the time it was invented, it brought speed, flexibility, and ease in gathering information for the computer users. The number of computer users increased gradually, as there was increase in number of vulnerabilities reported. Among all the vulnerabilities reported in the current world, DOS attacks are considered to be major threats.

Denial of Service Attack:

A Denial of Service (DOS) attack targets the computer or its network, and prevents the legitimate users from accessing its resources or services. These attacks have become very common on the Internet because, they are much easier to accomplish than remotely gaining administrative access to a target system. The DOS attacks can be classified into logic attacks and resource exhaustion flooding attacks. Logic attacks are used to cause security vulnerabilities, to crash a server, or to reduce performance. Resource exhaustion flooding attacks cause the server's or network's resources to be consumed to the point where the service is no longer responding or the response is reduced. The basic Denial of Service attack mostly relies upon the weakness in the TCP/IP protocol. Vendor patches and proper network configuration have made most of these Denial of Service attacks difficult or impossible to accomplish.

Flood Attack: In Flood attack, the Victim is flooded with traffic that he cannot handle by the attacker. To perform this attack, the attacker should have faster network connection than the victim.

Ping of Death Attack: The ping of death attack is performed by simply sending ping packets larger than 65,535 bytes to the victim. This attack relies on a bug in the Berkeley TCP/IP stack which also exists in systems using Berkley Network Code. This denial of service attack can be performed with simple one line code.

Ping -l 86600 victim's address

This attack was later prevented by operating system developers by limiting the packet size sent to 65,500.

SYN Attack: In this attack, target is flooded with SYN messages spoofed to appear to be from unreachable Internet addresses. The attacker fills up the buffer space with SYN messages on the target machine, preventing other systems on the network from communicating with the target machine.

Smurf Attack: In the Smurf Attack, the ping request is sent to broadcast address at third-party network which is spoofed to appear to come from the victims network address. The systems in broadcast domain of the third-party will then send ping responses to the victim.

Distributed Denial of Service (DDOS) Attack:

A Distributed Denial of Service (DDOS) attack is a denial of service attack which is performed from a large number of locations across the network. DDOS attacks are usually performed from a large number of compromised systems. These systems may have been infected by a Trojan horse or a worm, or they might have been compromised by being hacked manually. DDOS attacks are the most dangerous attacks because they are very difficult to defend against.

DDOS attacks mainly focus on overloading the resources like CPU cycles, Bandwidth, and memory. The attacker generally floods the resource by sending requests continuously, which in turn makes the resource unavailable for other users. There are many strategies in DDOS attacks, but, the attacks are only targeted at following resources Bandwidth resources, system or CPU resources, and memory resources. The attack against bandwidth resources are performed by flooding the victim's internal network bandwidth with the external traffic coming in from the internet. The external traffic is generated by the attacker directly or indirectly. The attack against memory resources is achieved by sending specific packets; which crashes the network handling software of the victim.

The basic DOS attacks can be prevented by using a good basic level firewall which is available for low price. But, the DDOS attacks are very difficult to prevent, because the attacks are performed from different locations, which makes the network traffic pattern to look similar to the legitimate or regular traffic in the network. Due to the easiness in usage of DDOS attacks, the numbers of vulnerabilities reported are increasing from year-to-year. As seen in the figure below, the attack size of DDOS attacks has grown through years ranging from 400 Mbps in the year 2002 to 49 Gbps in the year 2009. Every year majority of security threats are posed by DOS attacks.

Worldwide Infrastructure Security Report taken from Arbor Networks, Inc. [6]

To get a better understanding on the seriousness of DDOS attacks in the present world, see the below list of popular websites hit by DDOS attacks.

YAHOO down for 3 hours in the year 2000.

PAYPAL down for 8 hours in the year 2010.

FACEBOOK was hit by DDOS attack in the year 2009.

TWITTER down for 3 hours in the year 2009.

VISA and MASTERCARD hit by DOS attack in the year 2010.

As we can see above, all the websites listed use internet as a major source for income. If their sites are unavailable for even a few minutes, they would experience huge financial loses.

DDOS Attack Mechanism:

The key factors in DDOS attack are agents, who receive instructions from the attacker and follow those instructions to attack the victim's computers or servers directly. An attacker performing DDOS attack searches for several IP addresses to make them his victims. Generally, the attacker looks for vulnerabilities in the systems and gains access to them. From an agent, he uses automated techniques to compromise several other systems. The automated process involved in this process is done by using programs called Bots. The bots play main part in a DDOS attack, a bot is specifically coded for a specific purpose. They compromise several computers and form a bot network ranging from thousands to over 100,000. Many DDOS attacks use self updating bots, which downloads code from the "mothership" servers. The attacker often spoofs the IP addresses of the agents to reuse them in the future. The basic DDOS attack mechanism can be explained in following steps

Scanning vulnerable remote machines and exploiting them to be used as agents in the attack.

Creating a Bot Network using the agents.

Making the primary agents as handlers to manage the agents.

Sending the attack code to handlers for launching the attack.

The early DDOS attacks are considered to be manual, where the attacker scans for the remote machines with vulnerabilities and installs the attack code. Now days, the attacks are automated and cause high level damage to the victims. In automated attacks, automated scripts are used to scan for agents. There is no communication between attacker and agents, because the attack time, duration, attack type, and the victim's IP address are mentioned in the attack code. The attacker uses IRC channels for communication between agent and handlers. As the IRC channels offer anonymity to the attacker, the functions of a handler are no longer needed and the agent's outbound connections are established on a standard service port of a legitimate network. So that the communications to the control point, cannot be differentiated from legitimate network traffic. Since there is no communication between the attacker and the agents, a listening port is disabled, which makes it difficult for network scanners to detect the agent.

Practical Demonstration of a simple DOS attack:

A simple DOS attack called Ping flood attack is performed to demonstrate the ease in Denial of service attacks. Even though there are many powerful DDOS techniques to perform, it is illegal according to the laws of United Kingdom to perform them. The reason for performing a simple attack like Ping Flood is because it can be done using two PC's without disrupting the network services of other people, and it does not cause much damage. A Ping flood attack is the most common DOS attack technique and it is one of the oldest among the network attacking techniques. A ping is generally used to test the end-to-end connectivity in IP networks. In a ping flood attack, the attacker sends ICMP echo request packets to the victim and receives the ICMP echo reply packets from the victim. By doing this, the attacker consumes the incoming and outgoing bandwidth of the victim, thus making his system unable to use any other network services. But for this attack to succeed, the attacker's network should have more bandwidth than the victim's network. To perform this attack, a simple one line command is executed in Command prompt.

Ping -t -l 65500

The alphabet in the command, "T" means send packets continuously and the alphabet "L" is used to specify the size of the packets.

As seen above, the attacker is sending ICMP echo requests continuously with a length of 65500.

The packet sizes allowed by current operating systems are between 0-65500. Previously there was a bug in many operating systems, where the operating systems used to crash while handling packets with size more than 65535 by using fragmentation techniques. This bug was fixed in the year 1997-98.

This simple DOS attack can be prevented by using a Firewall to filter incoming ICMP echo request packets.

As seen above, Ping Flood attack has stopped after implementing the firewall in between the attack.

DDOS Attack Tools:

The prime reason for huge number of DDOS attacks in the internet is due to the availability of wide range of attacking tools. Very powerful attacking tools are available in the internet, which are released by the developers for free of cost. There are various different types of tools which are released every year to overcome the new protection mechanisms in place for security. Few common attacking tools are as follows

Trinoo: Trinoo which is also called as "Trin00" is famous for its usage in a distributed denial of service attack against Yahoo in the year February, 2000. It comprises of a master program and several agents on compromised systems. The master program is activated by the attacker using TCP, and the master program activates the agents via UDP on port 27444. The agents start to flood the victim's network with traffic. Trinoo uses UDP packets in flooding the victim network. Trinoo deploys Master / Slave architecture where the master and the slave are password-protected to prevent the WinTrinoo from taking over. Trinoo can be easily detected because it uses TCP.

The following TCP Ports are used by Trinoo for its operation

Attacker to Master: 27665/TCP

Master to Slave: 27444/UDP

Slave to Master: 31335/UDP

TFN: Tribe Flood Network (TFN) is a DDOS tool which is used to flood the target at by using several hosts at once. Four kinds of floods can be performed using TFN, ICMP Echo flood, Smurf Attack, UDP Flood, and SYN Flood. ICMP echo relay packets are used by the TFN attacker and master to communicate with each other.

TFN2K: Tribe Flood Network 2000 is similar to its predecessor TFN but it overcomes the countermeasures taken for its predecessor. Communications are made between master and the agents through ICMP, TCP, and UDP or all three together.

Shaft: Shaft follows the same working procedure of Trinoo, except for port numbers used for communication. The shaft network comprises of one or more handlers and several clients, where the attacker uses TELNET for communication. The control between handlers and the ports is switched in real time, which makes it difficult for the Intrusion Detection tools to detect. The communication between handlers and agents is done by transferring UDP packets. The attacker uses TCP connection to communicate with the handlers.

Attacker to handler: 20432/TCP

Handler to agent: 18753/UDP

Agent to handler: 20433/UDP

MStream: In MStream, the victim is flooded with TCP ACK. It uses TCP and UDP for communication, Telnet is used for communication between the handlers and agents, and the communications are not encrypted. A password protected login is used by the attackers to control the handlers remotely.

Stacheldraht: Stacheldraht is based on the source of both Trinoo and TFN attacks. UDP flood, SYN flood, and smurf attacks can be implemented by Stacheldraht. The attacker and handlers use encrypted TCP connection for communication between them. ICMP and TCP are used for communication between handlers and agents. All the communication channels are encrypted except for the ICMP heart beat packets sent by the agent to the handler.

Defence principles:

The first principle of defence is to set a distributed defence instead of centralized defence, because it is a distributed attack using high rate of packets.

The second principle of defence is to ensure less collateral damage by High Normal Packet Survival Ratio (NPSR).

The third principle of defence is to deploy a model, where a centralised control is not needed, because the Autonomous Systems does not have centralised control in Internet.

The fourth principle of defence is to set a defence system which restricts the attack traffic before reaching the victim and differentiate the malicious traffic flow from legitimate traffic flow by using different attack signatures for different sources.

The fifth principle of defence is to deploy a mechanism which blends in with the existing architecture of the system and should invoke only when the attack is detected.

The sixth principle is to counterattack the attack source with an easy and efficient solution. It should be fast and flexible in detecting changes in attack pattern.

Defence Challenges:

Even though there are number of prevention techniques developed for DDOS, the attacks are still continuing to happen. At this moment (March 2nd 2011), is under a largest DDOS attack they have encountered in last 6 years. Although DDOS attacks have been happening for over a decade, there is no perfect solution for it. There are several difficulties in developing a perfect DDOS prevention mechanism, they are as follows

Distributed Response System is required for preventing the DDOS attacks effectively, where the response will be deployed in the many points of the internet to stop the diverse agents from attacking. There are several types of DDOS attacks. Among them only few attacks can be stopped while happening, other attacks have to be prevented from happening. It is difficult to deploy the Distributed Response System diversely, because the internet is vast, even if the system is deployed, it cannot be guaranteed. So it does not encourage developers to develop applications based on this.

Lack of Attack Information is a main reason for under development in DDOS prevention techniques. Many DDOS affected victim's does not publicly disclose the fact that they were attacked, as it brings bad reputation to victim's organisation and the incidents are only reported to government organisations under the obligation of keeping them as a secret. Therefore the information about the attack type, duration of the attack, and number of agents is not available, which makes it very difficult to develop innovative techniques. Even though the attack tools are available on many internet sites, they are of no use.

Lack of Benchmarks, vendors make comments that their DDOS defence mechanism are best, which cannot be proved as there are no standardized testing approached for it. The Vendors develop the software and designers test the software in an advantageous way to them. As there are no benchmarks defined, the researchers can only compare the design issues with the existing defence mechanisms, but not the actual performance.

There are currently few problems for which researchers are looking for solutions, they are as follows.

Use of legitimate traffic in DDOS attacks.

The holes in Internet, for attacking.

The hidden identity of agents.

DOS Prevention & Detection Techniques:

There are many DOS defence techniques developed and used from a decade. In this paper, few effective and widely used defence techniques will be discussed. The wide range of defence techniques are classified into different types. General Techniques, which are common techniques used by ISP's and individual servers for not becoming a part of DDOS attacks. Filtering Techniques, where ingress filtering, egress filtering, router based packet filtering, secure overlay service (SOS), Capability based filtering, history based IP filtering, and Source Address Validity Enforcement protocol are used. Detection Techniques are used to detect the attack before it causes serious damage to the victim's network. There are basically two groups of detection techniques; the first one is DOS Attack Specific detection, which uses the special features observed in DOS attacks. The second one is called Anomaly based Detection, which reports anomalies based on the behaviour of normal traffic. Reactive techniques are usually performed after the detection of attack. In these techniques, the attack is detected and the immediate measures will be taken to the stop the attack and trace the source of the attack. To determine the source of attacks, techniques like IP traceback, ICMP traceback, Link Testing traceback, and Probabilistic Packet marking are used.

General Techniques:

Disabling IP broadcast; the IP broadcast address is sent large amount of ICMP echo traffic with a spoofed source address from the attackers. To defend this attack, the host machines and all the other neighbouring networks should disable IP broadcast.

Installing latest patches; the agents in DDOS attacks are formed by using the vulnerabilities in their systems. By installing latest security patches for all the applications, the systems will not be exploited.

Disabling unused services; by disabling unused network services, applications and open ports in hosts the vulnerabilities in the system can be reduced. Therefore prevents the systems from attackers.

Firewalls; the simple flood based attacks can be stopped by firewalls. Firewalls use simple rules like allowing or denying IP addresses, ports, and protocols. But, complex attacks using the port 80, which is used for web services cannot be stopped effectively by the firewalls, because it cannot differentiate the legitimate traffic from malicious traffic.

Global Defence Infrastructure; Global Defence Infrastructure uses different filtering rules which are deployed on the routers in the important parts of internet. This technique is only possible theoretically, because in internet everyone use their own security policies.

IP hopping; By using IP hopping, the victim's server IP address can be proactively changed time to time from a pool of homogenous servers. Once the victim's IP address is changed, all the edge routers will drop the attack packets. This prevention technique can be successful in only few cases, where the attack is mainly based on the IP address of the victim. This technique can be rendered useless by the attackers if they use a tracing function for Domain Name Service in their attack.

Load Balancing; it is done by increasing the bandwidth on critical connections and providing security to prevent them from going down. Additional protection techniques like replicating the server's, to replace the servers under attack.

Filtering Techniques:

Ingress Filtering; In Ingress filtering, the inbound traffic's IP addresses should match with the Ingress router's domain prefix, otherwise packets from those IP addresses will be dropped. The Ingress filtering can also be used for port numbers, and protocol type. The main part of Ingress filtering technique is having knowledge about the expected IP addresses at a port, which is very difficult to obtain in some cases where the topologies of the networks are complicated. To gain this knowledge reverse path filtering technique is used. In this technique, the router looks for the networks it can reach through its interfaces. It looks up for source address of incoming traffic and checks whether the packets are traversing out of the same interface which they used for coming into the network. If they match, those IP addresses are allowed. This attack can be rendered useless, if the attacker spoofs the IP addresses from within the subnet. The main aim of this technique is to stop the DOS attacks with spoofed addresses. But, now days the attackers are exploiting as many as 10000 hosts to launch an attack. The attacker can use legitimate IP addresses of the agents to launch the attack, which ingress filter cannot detect. Thus, Ingress filter is ineffective in preventing DDOS attacks.

Egress Filtering; In Egress filtering, the outbound traffic leaving the network is monitored and the traffic which does not meet the security policies is dropped. Egress filtering helps in controlling the malicious traffic from leaving the network. The Egress filtering is very similar to the Ingress filtering technique. The main disadvantage of Egress filtering is, access to external networks is denied for internal users. But, the attack can be made inside the network, where there is no extensive protection. The Egress filtering techniques cannot be used for consumer networks, and small office environments.

Router Based Packet Filtering (RPF); The RPF is based on a principle that, every link has a limited set of source addresses in the core of internet. The packets are assumed to be spoofed, when an IP packet appears with an unexpected source address and only those packets are filtered. The spoofed source addresses are filtered by RPF by using the information from the Border Gateway Protocol (BGP) routing topology. The spoofed addresses can be significantly filtered by using RPF in at least 18 percent of the Automated Systems (AS) in the internet. The RPF technique has several limitations. The first limitation is complexity in implementing it practically in the Automated Systems. There are almost 10,000 AS's internet, which means RPF has to be installed in at least 1800 AS's, a very difficult task to achieve. The second limitation is, if there is any route change in legitimate traffic, the legitimate packets might be dropped by RPF. The third limitation is, the filters are configured using the valid BGP messages. If the attacker changes the BGP messages by hijacking a BGP session, then the filter rules can be set in attacker's favour. The RPF is not very effective against DDOS attacks. The RPF is vulnerable to dynamic internet routing, because it cannot update the routing information.

History based IP Filtering; The History based IP filtering uses IP Address Database (IAD) to store frequent IP addresses. In a normal network traffic, the IP addresses seen tend to remain stable. But, during a DOS attack, the source IP addresses are never seen before. By using the above concept, when there is any suspicion about an attack, the source IP addresses are compared with the IP addresses in the IAD and if they are not present in the IAD, the packets from those IP addresses are dropped. In order to ensure fast searching of IP addresses in IAD, Hash based techniques are used. This technique is very robust and easy to implement. There are few limitations in this technique; it is ineffective when the attacks are from legitimate IP addresses. The History based IP filtering needs an offline database to store the IP addresses, which is very costly.

Secure Overlay Service (SOS); The Secure Overlay Service (SOS) is used to provide secure communication between users and the victim. Secure overlay Access Point (SOAP) is used to verify the traffic from a source point. Only the authenticated traffic is routed by consistent hash mapping to a Special Overlay Node called Beacon, which forwards the authenticated traffic for further authentication to another Special Overlay Node called Secret Servlet. The Secret Servlet forwards only traffic chosen by the victim. The SOS succeeds in establishing a way for communication between victim and legitimate users during a DDOS attack. The main strength of SOS is its SOAP's in distribution level. But, the deployment of SOAP's widely is a difficult task. If attacker uses worm spread, the deployed SOAP's will be useless, and the target's network will be disrupted.

Source Address Validity Enforcement (SAVE); The basic objective of SAVE protocol is to provide the information about the expected range of IP addresses at each interface to the router. In SAVE protocol, the information about the expected Source IP addresses on each link is updated by routers, and the packets with unexpected IP addresses are blocked. The messages are constantly propagated with valid source address information from the source to all the destination locations, similar to the existing routing protocols, which allows all the routers along the way to develop an incoming table for associating each link of the router with a set of valid source address blocks. SAVE uses Incoming Tables to filter packets with spoofed IP addresses. The Incoming Tables are updated periodically to overcome the asymmetries of internet routing. SAVE is effective only when it is deployed universally, which is difficult to accomplish. The SAVE protocol is useless when the DDOS attacks use non spoofed IP addresses.

Detection Techniques:

DOS Attack Specific Detection; Generally, an attacker sends large amount of traffic to the victim's to make the attack powerful. By sending huge amount of traffic, the victim will not be able to reply to all the packets, which creates an imbalance in flow rate between attacker and the victim.

The scheme developed using the Attack specific detection is called MULTOPS, which monitors the packet rate in both the source and destination to detect a DOS attack. The MULTOPS operates by assuming that the traffic between the source and destination are proportional during a normal operation. If there is a disproportional difference between the traffic in source and destinations, it indicates a DOS attack. The main disadvantage of MULTOPS is, it monitors packet rates for each IP address using dynamic tree structure, where the tree can become an easy target for Memory Exhaustion attack. To avoid this, another technique called TOPS was developed, which uses Hashing scheme to imbalance in Packet flows.

There are many limitations in MULTOPS scheme, where it assumes incoming and outgoing packet rates are proportional, which is not always true. For example, the real video streams are highly disproportional, where the packets coming in to the client are higher than the outgoing traffic.

Anomaly based Detection; there are basically two network based detection techniques, Signature based Detection, and Anomaly based Detection. The Signature based Detection technique matches the monitored traffic with the known characteristics of malicious traffic. It might be very easy for the attackers to attack without being detected, by using different attack content and traffic. But, the Anomaly based detection technique creates a normal traffic profile and matches it with the monitored traffic, to detect the DOS attack. The most important part of Anomaly based detection is developing a normal traffic profile by using training data. The statistical modelling is used in developing the profile by using different parameters like IP packet size, and IP packet length. There are two main parts involved in statistical anomaly detection; the first part is generating similarity measures to find the effective parameters such as IP packet length, IP packet rate and etc. Neural Network classification and Statistical Pre-processing techniques are used to solve this important issue. In the second part, the similarity between monitored traffic and the normal traffic is calculated by using statistical methods such as Kolmogrov-Smirnov test and X2 test, to provide similarity metrics for differentiating the expected traffic and monitored traffic. If the difference is more than the given threshold value, a DOS attack is detected.

The DOS attacks generate large amount of traffic from small number of sources, which is abnormal when compared with normal traffic pattern. This abnormality helps in detecting the DOS attacks effectively. But, detecting DDOS attacks is very difficult because it uses large number of hosts, where each host behaves as a legitimate user. The only hope in detecting DDOS attacks is by monitoring the number of new IP addresses seen by the target. The main problem in anomaly based detection is; it is very difficult and nearly impossible to develop a profile with all kinds of normal traffic behaviour. The anomaly based detection is useless, if the attacker uses large number of hosts to attack the victim using normal and legitimate traffic.

Analysing DDOS attack tool - LOIC:

The LOIC (Low Orbit Ion Cannon) is basically a stress testing tool which is used by the attackers to perform DDOS attacks. This tool was used as a part of Operation Payback by a group called "Anonymous" to take down many large and popular websites like,,, and This tool is available as an application and also as a webpage.

The tool performs a simple DOS attack by sending a sequence of TCP, UDP, and HTTP requests to the victim. The LOIC tool allows the attacker to specify the victim's address, attacking method (TCP, UDP, and HTTP), and other customizable parameters such as customizing the messages sent, the number of concurrent threads used etc. The tool also uses IRC (Internet Relay Chat) protocol to remotely access the user, by using this method the user becomes a part of Bot-network.

This tool operates in two modes, Manual mode and Automatic mode. In manual mode, the user has to specify the target's address and all the other parameters. In automatic mode or Hive Mind, the user voluntarily joins to be part of a bot network, where all the details are specified remotely by using IRC. The user has to specify the name of the channel and the address of the IRC server, to operate in Hive Mind or automatic mode.

The LOIC tool supports three types of attacks with different packet types TCP, UDP, and HTTP. All the attack types open several connections to the victim and continuously send a pre defined string. In the case of UDP and TCP attacks, the pre defined string is set in plain text where as in the case of HTTP attacks; it is set as HTTP Get message. The tool does not make any attempt to protect the identity of the users; it gives away the real source IP addresses where the ISP's (Internet Service Providers) can trace the IP address to the users and easily identify them.

The usage of LOIC is very simple, which makes it extremely dangerous. The users with no knowledge about the tool can use it for fun and unknowingly become a part of extremely dangerous attack. The easiness in usage is explained as follows,

The user has to enter the victim's URL into the URL box provided and press the button LOCK ON to get the IP address of the victim.

Then the user has to enter the Victim's IP address which was obtained previously into the IP box and has to click the button LOCK ON.

Then the user can customise the settings like providing number of threads, attack type, and the content of the message to be sent. Otherwise, he can start the attack by just clicking the button "IMMA CHARGIN MAH LAZER".

As we can observe in the above steps, that a dangerous attack which brought down websites like, can be launched with just 3 clicks.

Analysing the Source Code of LOIC:

The source code of LOIC is written using C#. The source code is released online through sites like There are three main blocks of code which perform the major functions in the attack, and the rest of the code is used to build interfaces. The three main blocks of data are named as,




Main Form:

The frmmain.cs is a file used to generate the functions in user interface. In this block of data, the IP address of the victim's site is resolved by using dns.gethostentry( ) method in C#. The following code is implemented in the application.

The code in the above diagram checks whether the user has filled in the website address or not. If the address is filled, then the application resolves the IP address of the website.

When the "IMMA CHARGIN MAH LAZER" button is pressed, the valid address, payload, and port numbers are checked before running the DDOS attack.

IRC and HIVE mode:

The Hive mode is activated, when a user ticks the Hive mind option by providing the IRC server address, port number and channel. When a hive mode is successfully activated, the commands are passed onto the client through IRC. The following block of code uses windows forms in order to set IRC server, port number and channel. The default port and channels are set to be 6667 and #loic, as it can be seen in the code. The following command is sent to the client connected in Hive mode for setting the parameters using IRC sets.

Default targethost=  subsite=/ speed=3 threads=15 method=tcp message=Enjoy_the_DDoS port=80 start.

The following code is used to set the default parameters for the application in IRC mode or Hive mode,

HTTP Flooding:

The HTTPFlooder.cs file uses the following code to create a variable called buf and places it in a while loop, which is sent through a socket. By using this code, the program simply makes legitimate web page request from a web server. But, by putting it in a while loop the process continues until the user stops it.

byte[] buf = System.Text.Encoding.ASCII.GetBytes(String.Format("GET {0} HTTP/1.0{1}{1}{1}", Subsite, Environment.NewLine));


socket.Send(buf, SocketFlags.None);

TCP Flooding:

The XXPFlooder.cs is used to flood the networks using TCP connection. Similar to the previous HTTP flooding, the TCP Flooding is achieved by sending data through a random TCP connection continuously by placing the code in while loop.

Proposed Defence Mechanisms for LOIC:

As of now, there are no security products released for protecting networks from LOIC tool. It was evident by the magnitude of attacks launched using LOIC, that it is going to be a challenge for developers in bringing out a good defence mechanism. This paper proposes a prevention technique, which might be a good solution for LOIC attacks.

Throttle Connections per Single IP:

In this technique, the connections per IP are limited to save the bandwidth of the server from DDOS attacks, spammers, etc. This technique restricts the connections allowed for each source to a maximum of 100. The reason for allowing 100 connections per source is because some browsers use up to 40 connections per IP. So, by keeping the maximum of 100 per source, the legitimate users will not be affected. It also limits the connections based on the span of seconds or per second; for example, limit the connections to 15 in a span of 5 seconds. If any IP address crosses the maximum, those IP addresses are added to an IP table and are restricted from making connections again. This technique is implemented by setting rules in firewalls according to the features discussed above.

Classification of DOS and DDOS Defence techniques:

There are many DOS and DDOS defence techniques implemented from many years, where each technique had its advantages and disadvantages. This paper classifies those defence techniques into different categories based on the attack environments, where the usage of each technique is advantageous in protecting the victim.

Technique used

Best Suited Environment